
Employee's data security

What's your opinion?

11 members have voted

  1. Would you believe that your personal data is held securely in such a situation?

    • Yes: 2
    • Mostly yes: 2
    • Rather not: 0
    • Not at all: 7


Hello there. 

 

I've found a data security issue in my workplace and I would like to hear/read someone's opinion about it. It may seem insignificant, but when you realize the possible consequences you just can't simply ignore it. 


The thing is that every employee has an account that is supposed to serve for every HR-related matter, like informing about your absence, checking schedules, tracking your hours, etc.
This account holds multiple pieces of personal information such as the employee's surname, phone number, e-mail, address, ID number, etc.


After a successful logout one can access the account that was logged into from a given device by simply going back in the browser.
I just ran into it by accident, and you can imagine my facepalm when I found out about it.

The reason why that is serious, IMO, is that we have several common-use desktops which are frequently used to log in to such accounts.
We have like thousands of employees and it's only one facility of dozens around the world. That means potential unwanted access to the personal data of thousands of people. 

I'm just a regular employee, therefore I have no real impact on our company. I just sent a ticket to tech support, though it's not likely that they will react to it in any significant way.
Also, I will talk to the GM tomorrow; maybe he will suggest employees not use those desktops (for that purpose, anyway). 


So, if anyone can say how that is f***ing possible (from a technical standpoint), I would appreciate such feedback. Is it due to how the site is handling POST data, or what? 


It gets a little worse than that in some cases, but I don't want to give many more details until I get an official response from both the GM and tech support.


Can you actually do anything on the page once you go back?  I suspect not.  While that is bad, it's probably not actually an authentication failure, it's just loading a cached page, so the content is at least read-only.  Of course, it shouldn't be readable at all - hitting back should send a request to fetch the page, which should make it realize you're not logged in and redirect you.  Clearly this was overlooked when developing it.


Companies protecting your data is a joke these days. A data breach is a piece of cake for hackers, because security to them is like a puzzle. Once you crack a tiny piece of the puzzle, everything else will fall apart soon. 

 

Look at Equifax and that one popular hotel data breach that exposed 500 million customers' info this year. 


4 hours ago, Ryan_Vickers said:

Can you actually do anything on the page once you go back?  I suspect not.  While that is bad, it's probably not actually an authentication failure, it's just loading a cached page, so the content is at least read-only.  Of course, it shouldn't be readable at all - hitting back should send a request to fetch the page, which should make it realize you're not logged in and redirect you.  Clearly this was overlooked when developing it.


No, actually you can't; it sends you back immediately to the authentication site if you click anything other than back or forward via browser navigation.
You can read and copy all the data you want, though. Which is already too much.

As I said, that's the most common case, but in some others it gets worse (in those it's partly the employees' fault, to be honest): you can do virtually anything.
You can even go as far as planning his/her holiday if you want.


I work as an IT admin at a secondary school in the UK. I have put in place as much security as I can to prevent external access/breaches and I have enforced account/group restrictions to certain parts of our network. However, the main vulnerability to my network is the end user. We have had instances where a student has accessed a teacher's account because they knew the password (the teacher had no idea how the student knew it), as well as users clicking links they ought to know they shouldn't.

 

I am doing my job as best as I can, including trying to be as secure as we can and improving our staff's understanding of security, but there's only so much that I can do.


39 minutes ago, AccordingOne said:


No, actually you can't; it sends you back immediately to the authentication site if you click anything other than back or forward via browser navigation.
You can read and copy all the data you want, though. Which is already too much.

As I said, that's the most common case, but in some others it gets worse (in those it's partly the employees' fault, to be honest): you can do virtually anything.
You can even go as far as planning his/her holiday if you want.

Take screenshots of this issue in action, bring those along with you. That'll get more attention than just telling them about it.


2 hours ago, chiller15 said:

However the main vulnerability to my network is the end user.

All the time. It doesn't matter how good law enforcement or the business' security is if that nosy employee clicks that zip file from an unknown sender. 


So the application your company is using is not clearing out session variables when you log out. The odds are if something so incredibly simple is being overlooked, there are way larger issues that haven't been seen.

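The two technical points raised in the thread (Ryan_Vickers: pressing Back should force a fresh request that finds no session; the last reply: logout is not clearing session state) can be shown side by side in one small model. This is an added example, not code from the thread or from the HR portal being discussed. The HrPortal class, its login/profile/logout methods, the sample record and the simplified browser_back function are all constructed for illustration; in particular, real browsers' back/forward caching rules are more nuanced than "no-store means refetch", so treat the model as the intent of the fix, not a browser spec.

```python
"""Constructed model of the logout / Back-button problem discussed in the thread.
hardened=False reproduces the weak behaviour; hardened=True applies the two fixes:
(1) Cache-Control: no-store on pages carrying personal data, and
(2) server-side invalidation of the session on logout."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal HTTP response model: status, headers, body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


class HrPortal:
    """Toy HR self-service portal (hypothetical; not the real application)."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.sessions = {}  # server-side store: session id -> username
        # Constructed sample record, not real data.
        self.profiles = {"jdoe": "J. Doe, +00 555 0100, jdoe@example.invalid, 1 Example St"}

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self.sessions[sid] = username
        return sid

    def profile(self, sid: str) -> Response:
        """GET /profile: personal data, served only for a live session."""
        user = self.sessions.get(sid)
        if user is None:
            return Response(302, {"Location": "/login"})
        headers = {"Content-Type": "text/html"}
        if self.hardened:
            # Forbid any stored copy of this page in browser history or caches.
            headers["Cache-Control"] = "no-store, no-cache, must-revalidate"
            headers["Pragma"] = "no-cache"
        return Response(200, headers, self.profiles[user])

    def logout(self, sid: str) -> Response:
        """POST /logout."""
        if self.hardened:
            self.sessions.pop(sid, None)  # invalidate on the server, not just the cookie
        # The weak variant only expires the cookie; the server still honours the id.
        return Response(302, {"Location": "/login", "Set-Cookie": "sid=; Max-Age=0"})


def browser_back(app: HrPortal, cached: Response, sid: str) -> Response:
    """Simplified Back-button model: a page delivered without no-store is
    restored from history with no network request; otherwise it is refetched."""
    if "no-store" not in cached.headers.get("Cache-Control", ""):
        return cached
    return app.profile(sid)


def audit(resp: Response) -> list:
    """Header check a tester would run against any page showing personal data."""
    findings = []
    if "no-store" not in resp.headers.get("Cache-Control", ""):
        findings.append("missing Cache-Control: no-store")
    return findings


def walkthrough(hardened: bool) -> tuple:
    """Log in, view the profile, log out, then press Back on the shared desktop.
    Returns (status shown after Back, body shown after Back, audit findings)."""
    app = HrPortal(hardened)
    sid = app.login("jdoe")
    page = app.profile(sid)
    app.logout(sid)
    shown = browser_back(app, page, sid)
    return shown.status, shown.body, audit(page)


def session_survives_logout(hardened: bool) -> bool:
    """True if a session id still works after logout, i.e. logout did not
    clear server-side session state (the last reply's point)."""
    app = HrPortal(hardened)
    sid = app.login("jdoe")
    app.logout(sid)
    return app.profile(sid).status == 200


if __name__ == "__main__":
    for mode in (False, True):
        status, body, findings = walkthrough(mode)
        print(f"hardened={mode}: Back shows status {status}, body={body!r}, findings={findings}")
        print(f"hardened={mode}: session survives logout: {session_survives_logout(mode)}")
```

In the weak configuration, Back shows the cached profile with no request reaching the server, which matches what the thread describes: read-only access, redirected as soon as anything is clicked. The hardened configuration gets the redirect on Back because the page was never stored, and the old session id is useless even if a request with it is replayed. Both fixes are needed: no-store alone leaves a still-valid session behind, and server-side invalidation alone leaves the copy in history.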
